Conficker didn't bring the Internet crashing down on April 1, but the virus is …

April 1 may not have turned into the D-day that some feared Conficker might create, but the newest version of the worm (Conficker.C) is still out in the wild with mischief on its mind. The malware's creators released a new patch on April 7; the group obviously intends to continue its active war against security researchers. Such tenacity has been a trait of Conficker since the parasite first appeared on the 'Net near the end of 2008. Each version of Conficker has delivered new "features" or tricks intended to bypass security patches; the April 7 update is no exception.

As reported by Trend Micro, this newest flavor is designed to deliver a Conficker update through the use of P2P networking. As of now, Trend Micro is picking up Conficker as Worm_Downad.E (no idea what happened to "D" in there). There are some interesting things about this new flavor, including the fact that it comes pre-wrapped with a stop date: on May 3, this new, P2P-distributed version will stop working. Most malware doesn't come with a "Do Not Use After XXX" date, and there are also signs that the authors have restored functionality that wasn't part of the April 1 Conficker.C.

If you recall, Conficker.C was rather more defensive than its predecessors and introduced multiple techniques to thwart attempts to detect or remove it. Conficker.E (for lack of a better term) still employs Conficker.C's tricks, but once again scans for machines on a network that may not have been patched with MS08-067. This is also the first time we've seen evidence of a Conficker-Waledac connection; one of the domains a Conficker-infected system will attempt to access is a known Waledac haven.

Meanwhile, back at the ranch, Dan Kaminsky has updated his blog with another round of scanning tools as well as some perspective on the April 1 nonevent. "I'm sorry the bad guys aren't quite the eschatologists some people would like them to be," writes Kaminsky, "but somebody's been investing extraordinary amounts of resources making a worm very difficult to kill. There's a bad guy out there, and while we shouldn't panic, we shouldn't quite ignore the situation either."

Speaking of ignoring the situation, there's at least one confirmed spam campaign issuing false Conficker reports (supposedly from Microsoft) advising users to update immediately. As reported by Marshal8e6 TRACElabs, the e-mails claim that the worm began infecting Microsoft computers "unusually rapidly" as of 4/01/2009, and that your ISP has informed the company that your PC is infected. Why your ISP wouldn't simply inform you is the logic flaw in this particular missive, but phishing e-mails aren't known for their intelligent appeal. As always, readers are advised to make certain that their systems are being infected by the real Conficker virus, not some hackneyed copy.

Those of you who would like a step-by-step walkthrough of how Conficker infects a host, what the MS08-067 exploit actually is, and why the worm has posed such a challenge over the past six months are encouraged to read The Honeynet Project's full report (PDF) on Conficker. It's more or less the definitive guide to this particular virus, and it represents the concerted efforts of both companies and individuals. Conficker-Storm comparisons are inevitable, but for the moment, Conficker seems to be more under control than Storm was at this stage of its life. Hopefully things will stay that way.